Privacy Policy
Last updated: March 2026
1. Overview
This Privacy Policy ("Policy") describes how Evidr LLC, operating the Evidr platform, located in New York, New York, United States ("Company," "we," "us," and "our"), collects, uses, shares, and protects personal data when you visit or use our website at https://evidr.com, our console at https://console.evidr.com, and any related services we provide (collectively, the "Services").
Evidr is an AI-powered compliance automation platform that helps organizations achieve and maintain audit readiness across regulatory frameworks including SOC 2 Type I and Type II, ISO 27001, HIPAA, GDPR, PCI DSS, FedRAMP, and others. The platform provides continuous monitoring, automated evidence collection, AI-driven evidence review with confidence scoring, policy generation, vendor risk management, team collaboration workspaces, and auditor access portals. We are committed to protecting your privacy and handling your data in an open, transparent manner.
This Policy applies to all visitors, users, team members, auditors, and others who access the Services. It covers data collected through the marketing website, the console application, API endpoints, integrations with third-party services, and any communications with our support team. By using our Services, you acknowledge that you have read and understood this Policy.
If you have questions or concerns about this Policy, or wish to exercise any of your data protection rights, contact us at [email protected]. We aim to respond to all privacy-related inquiries within 30 calendar days.
2. Information We Collect
2.1 Information you provide
We collect information you voluntarily provide when registering for an account, configuring your compliance workspace, uploading evidence, or communicating with us. This includes:
- Account information - name, email address, organization name, job title, and role when you register for an account. If you sign up using a social login provider, we receive your name and email from that provider.
- Onboarding data - information about your business, industry, technology stack, number of employees, compliance goals, and current security posture provided during our AI-guided onboarding conversation. This may include which frameworks you are pursuing, your cloud providers, and your existing compliance status.
- Compliance evidence - documents, files, screenshots, and data you upload to the platform as compliance evidence, including PDFs, spreadsheets, images, configuration exports, and policy documents. This may contain sensitive business information depending on what you choose to upload.
- Policy and procedure content - text content you create, edit, or generate using our AI-powered policy builder, including information security policies, acceptable use policies, incident response plans, and other compliance documentation.
- Payment information - billing details including name, billing address, and payment method processed through our payment provider (Stripe). We do not store full credit card numbers, CVVs, or complete payment card details on our servers. We retain only the last four digits of your card and expiration date for display purposes.
- Communications - records of correspondence when you contact us via email, support channels, or other means, including the content of your messages, attachments, and metadata.
- Team and collaborator data - names and email addresses of team members you invite to your workspace, along with their assigned roles and permissions.
- Vendor information - names, categories, risk levels, and compliance status of vendors you add to the vendor risk management module.
2.2 Information collected automatically
When you use our Services, we automatically collect certain technical and usage information to maintain the platform, diagnose issues, and improve your experience. This includes:
- Device data - IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
- Usage data - pages visited, features used, time spent on each page, click paths, interaction patterns within the platform, framework completion progress, and dashboard views.
- Log data - server logs including HTTP request metadata, timestamps, referrer URLs, response codes, and error information. These logs are used for security monitoring and debugging.
- Authentication events - login timestamps, authentication method used (password, passkey, OTP), failed login attempts, and session duration.
- API usage - if you interact with our API, we log endpoint calls, request timestamps, and response status codes for rate limiting and abuse prevention.
2.3 Information from third-party integrations
When you connect third-party services to Evidr, we receive data from those services to automate compliance evidence collection. The specific data depends on which integrations you enable:
- AWS integration - IAM user and role configurations, S3 bucket policies, CloudTrail log summaries, Security Hub findings, GuardDuty alerts, encryption status of resources, VPC configurations, and other AWS security posture data relevant to your compliance frameworks.
- GitHub integration - repository metadata, branch protection rules, pull request review settings, code scanning alerts, Dependabot findings, commit signing configurations, and team access permissions. We do not access or store your source code.
- Google Workspace integration - admin directory user lists, MFA enrollment status, security settings, mobile device management policies, and domain-level security configurations.
- Okta integration - user directory information, MFA factor enrollment, authentication policies, application assignments, and group membership data relevant to access control compliance requirements.
- Vendor risk data - publicly available information about your vendors gathered from security rating services, breach databases, and certification registries to power vendor monitoring features.
- Payment and subscription data - payment status, subscription tier, billing cycle, and invoice history from Stripe.
You control which integrations are enabled and can disconnect any integration at any time from your workspace settings. Disconnecting an integration stops future data collection from that source but does not automatically delete previously collected evidence. You may delete previously collected evidence manually or request bulk deletion by contacting us.
3. How We Use Your Data
We process your personal data for specific, legitimate purposes. We do not use your data in ways that are incompatible with the purposes described below. Our primary goal is to provide you with a reliable, secure compliance automation platform.
- Service delivery - to provide the Evidr compliance automation platform, including AI-powered evidence review with confidence scoring, automated policy generation, continuous monitoring of connected integrations, vendor risk assessments, team collaboration features, and auditor access portals.
- AI processing - to analyze uploaded evidence and assign confidence scores, generate policy and procedure documents tailored to your organization, provide intelligent compliance recommendations, and identify gaps in your compliance posture. AI processing is performed by third-party language model providers under strict data processing agreements.
- Account management - to create and manage your account, process subscription payments, handle plan upgrades and downgrades, manage team member invitations and role assignments, and provide customer support.
- Communication - to send evidence expiry reminders, vendor risk alerts, framework readiness notifications, audit preparation summaries, billing receipts, and critical platform notifications. We may also send occasional product updates, which you can opt out of.
- Integration management - to connect with your authorized third-party services, pull compliance-relevant data on your behalf, and maintain the health and status of those connections.
- Platform improvement - to analyze aggregate usage patterns, identify popular features and areas for improvement, diagnose and fix technical issues, and improve the accuracy of our AI models and compliance mapping.
- Security and fraud prevention - to detect and prevent unauthorized access, fraud, spam, abuse, and security incidents. This includes monitoring for suspicious login patterns, enforcing rate limits, and validating authentication credentials.
- Legal compliance - to comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including tax reporting obligations and data protection regulations.
We will not use your personal data for purposes materially different from those described in this Policy without providing you notice and, where required by law, obtaining your consent. We do not use your compliance evidence or uploaded documents for any purpose other than providing the Services to you.
4. Legal Bases for Processing
We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR) and equivalent provisions in other applicable data protection laws:
- Consent - where you have given clear, affirmative consent for us to process your personal data for a specific purpose. This applies to optional communications such as marketing emails and product update newsletters. You may withdraw consent at any time without affecting the lawfulness of processing that occurred before the withdrawal.
- Contractual necessity - where processing is necessary to perform our contract with you, including providing the Evidr platform, processing your subscription, managing your account, delivering AI-powered compliance features, and maintaining your workspace. This is the primary legal basis for most of our data processing activities.
- Legitimate interest - where processing is necessary for our legitimate business interests, provided those interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include improving the platform, ensuring security, preventing fraud, analyzing aggregate usage trends, and responding to support inquiries. We conduct balancing tests for all processing based on legitimate interest.
- Legal obligation - where processing is necessary to comply with a legal obligation to which we are subject, such as tax reporting, responding to lawful government requests, or maintaining records required by applicable regulations.
You may withdraw your consent at any time by contacting us at [email protected]. Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal. Where we process your data based on contractual necessity, withdrawing from the contract may require termination of your account and access to the Services.
If you have questions about which legal basis applies to a specific processing activity, contact us and we will provide a detailed explanation.
5. Third-Party Services
We use carefully selected third-party services to operate and deliver the Evidr platform. Each provider is subject to contractual data protection obligations and is only permitted to process your data for the purposes we specify. Below is a detailed description of each category of third-party service.
5.1 AI and language model providers
We use xAI (Grok) as our AI language model provider to power evidence review, policy generation, compliance gap analysis, and intelligent onboarding conversations. When you upload evidence or request AI-generated content, relevant data is sent to this provider for processing. The provider operates under a data processing agreement that prohibits the use of your data for model training.
Data sent to AI providers is limited to the specific content being analyzed (such as an uploaded evidence document or policy text). We do not send your full account profile, payment information, or data from other customers. AI provider responses are cached temporarily for performance and then discarded. See Section 9 (AI Data Processing) for full details on what data is and is not sent to AI providers.
5.2 Cloud infrastructure (AWS)
Our platform and all customer data are hosted on Amazon Web Services (AWS) in the US East (N. Virginia) region (us-east-1). Evidence files are encrypted at rest using AES-256 server-side encryption (SSE-S3). Database instances use encrypted storage volumes. All network traffic between our services traverses private VPCs with security group isolation.
AWS processes data in accordance with their shared responsibility model and the AWS Data Processing Addendum. AWS maintains SOC 2, ISO 27001, HIPAA, PCI DSS, and FedRAMP certifications for their infrastructure services. Our use of AWS is covered by their standard GDPR-compliant data processing addendum.
5.3 Payment processing (Stripe)
We use Stripe to process all subscription payments, manage billing cycles, issue invoices, and handle refunds. When you enter payment information, it is collected directly by Stripe using their client-side SDK. Your full card number never touches our servers. Stripe collects and processes payment information in accordance with PCI DSS Level 1 requirements.
Stripe retains payment data in accordance with their own privacy policy and PCI DSS obligations. We receive from Stripe only the information necessary to display your billing history, such as the last four digits of your card, card brand, expiration date, billing name, and transaction status. For more information, see Stripe's Privacy Policy.
5.4 Email services (AWS SES)
We use Amazon Simple Email Service (SES) to send transactional emails including evidence expiry reminders, vendor risk alerts, team invitation emails, OTP verification codes, account notifications, and billing receipts. Email content is transmitted over encrypted connections. We do not use third-party email marketing platforms.
AWS SES processes recipient email addresses and message content. Bounce and complaint data is tracked to maintain our sending reputation and comply with anti-spam regulations. We retain email delivery logs for up to 90 days for troubleshooting purposes.
5.5 Integration providers
When you connect third-party integrations (AWS, GitHub, Google Workspace, Okta), we use OAuth 2.0 tokens or API keys that you provide to access compliance-relevant data from those services. We request only the minimum scopes and permissions necessary to collect the specific data types described in Section 2.3. Access tokens are encrypted at rest. You can revoke integration access at any time from your workspace settings or from the third-party provider directly.
6. Data Sub-Processors
The following is a list of sub-processors that process personal data on our behalf. Each sub-processor is bound by a data processing agreement that imposes confidentiality and security obligations at least as protective as those described in this Policy. We will update this list when sub-processors change and, where required, provide advance notice to affected customers.
- Amazon Web Services (AWS) - Purpose: cloud infrastructure hosting, data storage, email delivery (SES), and compute services. Location: US East (N. Virginia), us-east-1. DPA status: AWS Data Processing Addendum in effect.
- xAI (Grok) - Purpose: AI language model processing for evidence review, policy generation, and compliance analysis. Location: United States. DPA status: data processing agreement in effect; zero-day data retention; no training on customer data.
- Stripe, Inc. - Purpose: payment processing, subscription management, invoicing, and billing. Location: United States. DPA status: Stripe Data Processing Agreement in effect; PCI DSS Level 1 certified.
- Amazon Simple Email Service (SES) - Purpose: transactional email delivery including OTP codes, evidence reminders, vendor alerts, and account notifications. Location: US East (N. Virginia), us-east-1. DPA status: covered under AWS Data Processing Addendum.
We do not engage sub-processors for advertising, behavioral analytics, or cross-site tracking. If we add a new sub-processor that processes personal data in a materially different way, we will update this section and notify enterprise customers with active DPAs at least 30 days in advance.
8. Automated Decision-Making
Our platform uses AI to review uploaded compliance evidence and assign confidence scores ranging from 0% to 100%. These scores indicate the AI's assessment of how well a given piece of evidence satisfies a specific compliance control. Scores are advisory in nature and do not produce legal effects or similarly significantly affect you.
All AI-generated assessments, confidence scores, and recommendations can be reviewed, accepted, or overridden by authorized users within your workspace. The platform is designed as a tool to assist human decision-makers, not to replace them. Your compliance team retains full control over which evidence is mapped to which controls and whether evidence is marked as satisfactory.
We do not use automated decision-making for any purpose that produces legal effects or similarly significantly affects individuals without human oversight. Specifically, we do not make automated decisions about employment, credit, insurance, housing, or any other consequential matters. Billing and subscription management decisions (such as plan enforcement and usage limits) are based on transparent, pre-defined rules rather than AI-driven profiling.
9. AI Data Processing
9.1 What data is sent to AI providers
When you use AI-powered features, the following types of data may be sent to our AI provider (xAI/Grok) for processing:
- The content of evidence documents you upload for AI review (text extracted from PDFs, images via OCR, spreadsheet content).
- Policy and procedure text submitted for AI generation or refinement.
- Onboarding conversation messages where you describe your organization and compliance goals.
- Control descriptions and framework requirements used as context for evidence evaluation.
9.2 What data is NOT sent to AI providers
The following data is never transmitted to AI providers:
- Your account credentials, passwords, passkeys, or authentication tokens.
- Payment information, credit card details, or billing data.
- Data from other customers or other workspaces (strict tenant isolation).
- Integration OAuth tokens or API keys for connected services.
- Raw data pulled from integrations (AWS configs, GitHub settings, Okta directories) - only user-uploaded evidence is sent to AI.
- Team member personal information beyond what appears in the specific document being reviewed.
9.3 AI provider data handling
Our AI provider operates under a zero-day data retention policy, meaning your data is not stored by the AI provider after processing is complete. Inputs and outputs are discarded immediately after the response is generated. Your data is not used to train, fine-tune, or improve the AI provider's models. This is contractually guaranteed through our data processing agreement with the provider.
9.4 Prompt injection and safety
We implement input sanitization to mitigate prompt injection attacks in uploaded documents. Evidence content is preprocessed before being sent to the AI provider to strip known injection patterns. AI outputs are validated and sanitized before being displayed to users. Rate limiting is enforced on all AI endpoints to prevent abuse, with per-user and per-workspace limits applied on a rolling window basis.
9.5 AI output accuracy
AI-generated content, including confidence scores, policy drafts, and compliance recommendations, may contain inaccuracies. All AI output should be reviewed by qualified compliance personnel before being relied upon for audit or regulatory purposes. Evidr does not guarantee the accuracy of AI-generated assessments and is not a substitute for professional compliance advice.
10. Data Sharing
We do not sell, rent, or trade your personal data. We have never sold personal data and have no plans to do so. We may share your information only in the following limited circumstances:
- Service providers and sub-processors - with trusted third-party vendors who assist in operating the platform, as described in Sections 5 and 6 (cloud hosting, AI providers, payment processing, email delivery). These providers are contractually obligated to protect your data, process it only as we instruct, and delete it when no longer needed.
- Team members - with other members of your organization who have been granted access to your compliance workspace. Data visibility is governed by role-based access controls configured by your workspace administrators. Team members can only see data within their assigned workspace.
- Auditors - with auditors you explicitly invite to access your compliance data through the auditor portal. Auditor access is read-only, time-limited, and restricted to the specific frameworks and evidence you choose to share. Auditors cannot modify, download in bulk, or export your data beyond what the auditor portal permits.
- Legal requirements - when required by law, regulation, legal process, subpoena, court order, or enforceable governmental request. We will attempt to notify you before disclosing your data unless legally prohibited from doing so.
- Business transfers - in connection with a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, in which case your data may be transferred to the acquiring entity. We will provide notice of any such change via email and/or a prominent notice on our website at least 30 days before the transfer occurs.
- With your consent - in any other circumstance where you have provided explicit, informed consent to the specific sharing.
We do not share personal data with third parties for their own marketing or advertising purposes. We do not participate in data broker networks or sell data to data aggregators.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. Our primary infrastructure is hosted in the United States (AWS us-east-1). If you are located outside the United States, your data will be transferred to the United States for processing.
When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States or other countries that have not received an adequacy decision from the European Commission, we implement appropriate safeguards to ensure your data receives an adequate level of protection. These safeguards include:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with sub-processors.
- The EU-U.S. Data Privacy Framework, where applicable and where our sub-processors are certified participants.
- Supplementary technical measures including encryption in transit and at rest, access controls, and pseudonymization where feasible.
You may request a copy of the specific safeguards we apply to international transfers of your data by contacting us at [email protected]. We will provide the relevant documentation within a reasonable timeframe.
12. Data Residency
Our primary data processing and storage region is AWS US East (N. Virginia), us-east-1. All customer data, including uploaded evidence, database records, and file attachments, is stored in this region by default.
At this time, we do not offer guaranteed single-region data residency or the ability to select a specific geographic region for data storage. Data may be processed in other regions transiently during certain operations (for example, when data passes through AI providers located in the United States).
Customers located in the European Union or European Economic Area who require formal data residency guarantees may request a Data Processing Agreement (DPA) that documents the applicable transfer mechanisms and safeguards. Contact us at [email protected] to discuss your data residency requirements.
13. Multi-Tenancy and Data Isolation
Evidr is a multi-tenant platform, meaning multiple customer organizations share the same underlying infrastructure. However, we implement strict logical data isolation to ensure that no customer can access another customer's data.
Every customer organization operates within an isolated workspace identified by a unique company identifier. All database queries are scoped to the requesting company's identifier using row-level security policies enforced at the database layer. This means that even in the event of an application-level bug, database-level controls prevent cross-tenant data leakage.
Uploaded evidence files are stored in Amazon S3 with per-company key prefixes. Access to S3 objects is controlled through application-level authorization that validates the requesting user's company membership before generating signed URLs. There is no shared file namespace between customers.
API endpoints enforce workspace-scoped authorization on every request. Team members, auditors, and administrators can only access resources belonging to their own workspace. Cross-workspace access is not possible through the application interface or API, regardless of user role or permission level.
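The per-company key prefix check described above, as an added example that is not Evidr's own code: before a signed URL is minted, the requested object key is normalised and required to sit under the caller's workspace prefix. The `evidence/<company_id>/` layout, the `Requester` type and the `signer` callable standing in for a cloud SDK presign call are assumptions; the point is that the prefix comparison happens only after normalisation, so `..` segments and look-alike prefixes (`acme2` for `acme`) cannot reach another tenant's objects.

```python
"""Workspace-scoped object access check (added example, not Evidr's code).

Assumes evidence objects live under "evidence/<company_id>/..." and that the
requester's company membership has already been established by the session.
"""
import posixpath
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a request would reach outside the caller's workspace."""


@dataclass(frozen=True)
class Requester:
    user_id: str
    company_id: str  # the single workspace this session belongs to


def canonical_key(key: str) -> str:
    """Normalise an object key so the prefix check cannot be bypassed.

    After posixpath.normpath, any surviving ".." can only be at the start,
    so "evidence/acme/../globex/x" becomes "evidence/globex/x" (caught by the
    prefix test) and "../evidence/acme/x" is rejected here outright.
    """
    if not key or "\x00" in key:
        raise AccessDenied("malformed object key")
    norm = posixpath.normpath(key)
    if norm.startswith(".."):
        raise AccessDenied("malformed object key")
    return norm


def company_prefix(company_id: str) -> str:
    # Assumed layout. The trailing slash is what stops "acme" matching "acme2".
    return f"evidence/{company_id}/"


def authorize_object_access(requester: Requester, key: str) -> str:
    """Return the canonical key if it belongs to the requester's workspace.

    Leading slashes are not stripped: "/evidence/acme/x" is a different
    object name than "evidence/acme/x" and is refused rather than guessed at.
    """
    norm = canonical_key(key)
    prefix = company_prefix(requester.company_id)
    if not norm.startswith(prefix):
        raise AccessDenied(
            f"user {requester.user_id} may not access objects outside {prefix}")
    return norm


def sign_url_for(requester: Requester, key: str, signer) -> str:
    """Authorize first, then hand the canonical key to the URL signer.

    `signer` stands in for the storage SDK's presign call (assumption).
    """
    return signer(authorize_object_access(requester, key))


if __name__ == "__main__":
    acme = Requester("u1", "acme")
    print(sign_url_for(acme, "evidence/acme/soc2/policy.pdf",
                       lambda k: f"https://storage.example/{k}?sig=..."))
    for bad in ("evidence/globex/x.pdf", "evidence/acme/../globex/x.pdf",
                "evidence/acme2/x.pdf", "/evidence/acme/x.pdf"):
        try:
            authorize_object_access(acme, bad)
        except AccessDenied as exc:
            print("denied:", bad, "->", exc)
```

The database-layer row-level security the section also mentions is the second half of the same defence: the application check above fails closed for object storage, while the database policy keeps query results tenant-scoped even when application code forgets a filter.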
14. Data Security
We implement comprehensive technical and organizational security measures to protect your data against unauthorized access, alteration, disclosure, or destruction. Security is a core concern for a compliance platform, and we hold ourselves to the standards we help our customers achieve.
14.1 Encryption
- At rest - all uploaded evidence files are encrypted using AES-256 server-side encryption (SSE-S3). Database storage volumes use AES-256 encryption. Backup snapshots are encrypted.
- In transit - all data transmitted between your browser and our servers is protected by TLS 1.2 or higher. Internal service-to-service communication within our infrastructure also uses TLS encryption. We enforce HTTPS on all endpoints and redirect HTTP requests to HTTPS.
14.2 Authentication and access control
- WebAuthn / passkeys - we support FIDO2 WebAuthn passkeys as a phishing-resistant authentication method, in addition to traditional email/password authentication.
- One-time passwords (OTP) - OTP codes are SHA-256 hashed before storage. After five consecutive failed OTP attempts, the code is invalidated and the user must request a new one. OTP codes expire after 10 minutes.
- JWT token management - authentication tokens are signed JWTs with configurable expiration. Tokens are stored as HttpOnly, Secure, SameSite cookies to prevent XSS-based theft. Token refresh is handled server-side.
- Role-based access controls - workspace access is governed by roles (owner, admin, member, auditor) with granular permissions. Each role has a defined set of allowed actions enforced at both the API and database layers.
- Distributed locking - critical operations such as billing state changes and evidence processing use distributed locks to prevent race conditions and ensure data consistency.
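The OTP lifecycle from the list above, as an added example that is not Evidr's own code: only a SHA-256 digest of the code is stored, the code expires after 10 minutes, it is single-use, and five consecutive failures invalidate it so the user must request a new one. The in-memory store, the injectable clock and the status strings are assumptions made so the behaviour can be exercised without a database.

```python
"""One-time password handling (added example, not Evidr's code).

Follows Section 14.2: SHA-256 hash before storage, 10-minute expiry, and
invalidation after five consecutive failed attempts. Store and clock are
test-friendly assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

OTP_TTL_SECONDS = 10 * 60
OTP_MAX_ATTEMPTS = 5


@dataclass
class OtpRecord:
    code_hash: str
    issued_at: float
    failures: int = 0
    invalidated: bool = False


def hash_code(user_id: str, code: str) -> str:
    # Bind the digest to the user so identical codes for different users do
    # not share a hash. Note for practitioners: a 6-digit space is cheap to
    # enumerate offline, so a keyed hash (HMAC with a server-side secret)
    # would cost an attacker more than bare SHA-256 if the table leaked.
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


class OtpStore:
    """Issues and verifies codes; keeps only hashes and counters."""

    def __init__(self, clock):
        self._clock = clock  # callable returning the current unix time
        self._records: dict[str, OtpRecord] = {}

    def issue(self, user_id: str) -> str:
        """Create a fresh 6-digit code; return it for delivery, store only its hash."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._records[user_id] = OtpRecord(hash_code(user_id, code), self._clock())
        return code

    def verify(self, user_id: str, code: str) -> str:
        """Return one of: 'ok', 'invalid', 'expired', 'locked', 'none'.

        'none' means there is no live code for the user (never issued, already
        used, expired, or locked out) and a new code must be requested.
        """
        rec = self._records.get(user_id)
        if rec is None or rec.invalidated:
            return "none"
        if self._clock() - rec.issued_at > OTP_TTL_SECONDS:
            rec.invalidated = True
            return "expired"
        # Constant-time comparison of the stored and submitted digests.
        if hmac.compare_digest(rec.code_hash, hash_code(user_id, code)):
            rec.invalidated = True  # single use
            return "ok"
        rec.failures += 1
        if rec.failures >= OTP_MAX_ATTEMPTS:
            rec.invalidated = True  # fifth consecutive failure kills the code
            return "locked"
        return "invalid"


if __name__ == "__main__":
    import time
    store = OtpStore(time.time)
    code = store.issue("alice")
    print("verify wrong code:", store.verify("alice", "000000" if code != "000000" else "000001"))
    print("verify right code:", store.verify("alice", code))
    print("replay:", store.verify("alice", code))
```

Every failed attempt increments a counter on the stored record rather than on the session, which is what makes the lockout hold across reconnects; the rate limits the page describes for authentication endpoints sit in front of this and slow the request rate itself.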
14.3 Application security
- Web Application Firewall (WAF) - AWS WAF rules protect against common web exploits including SQL injection, cross-site scripting (XSS), and malicious request patterns.
- Content Security Policy (CSP) - strict CSP headers are enforced to prevent unauthorized script execution and data exfiltration.
- Helmet middleware - HTTP security headers are set using Helmet, including X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
- CORS policy - Cross-Origin Resource Sharing is restricted to our own domains (https://evidr.com and https://console.evidr.com). Requests from unauthorized origins are rejected.
- Rate limiting - rate limits are enforced on authentication endpoints, billing endpoints, AI processing endpoints, and API routes to prevent brute-force attacks and abuse.
- Credential detection - automated scanning detects credentials, API keys, and other sensitive data in uploaded documents and alerts users before evidence is stored.
14.4 Infrastructure security
- Private VPC isolation with security groups restricting network access to only necessary ports and protocols.
- Automated security patching and updates for operating systems and dependencies.
- Encrypted database backups with point-in-time recovery capabilities.
- Monitoring and alerting for anomalous access patterns and potential security events.
While we implement extensive security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but maintain protections that meet or exceed industry standards for compliance automation platforms. If you discover a security vulnerability, please report it responsibly to [email protected].
15. Data Breach Procedures
We maintain a documented incident response plan that is reviewed and tested regularly. In the event of a personal data breach likely to result in risk to your rights and freedoms, we follow a structured response procedure.
15.1 Detection and containment
Upon detecting or being notified of a potential breach, our incident response team immediately assesses the scope and severity. Containment measures are implemented within the first hour, which may include revoking compromised credentials, isolating affected systems, blocking malicious IP addresses, and preserving forensic evidence.
15.2 Assessment and classification
The incident is classified by severity (critical, high, medium, low) based on the type of data involved, number of affected individuals, and potential impact. Our Data Protection Officer is notified of all incidents classified as high or critical severity within 4 hours of detection.
15.3 Notification
- Supervisory authorities - we will notify the relevant data protection supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individuals, as required by GDPR Article 33.
- Affected individuals - we will notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34. Notification will be sent via email and, where appropriate, via in-platform alerts.
- Affected customers - workspace owners and administrators will be notified of any breach affecting their organization's data, including a description of the breach, the types of data involved, and the measures taken or proposed to address the breach.
15.4 Remediation and post-incident review
Following containment, we implement remediation measures to address the root cause and prevent recurrence. A post-incident review is conducted within 14 days of resolution, documenting lessons learned, timeline of events, and any changes to security controls. The incident and all associated actions are logged in our incident register.
15.5 Communication plan
Breach notifications to affected individuals include: a description of the nature of the breach, the name and contact details of our Data Protection Officer, a description of the likely consequences, and a description of the measures taken or proposed to address the breach and mitigate its effects. Notifications are written in clear, plain language.
16. Retention and Deletion
We retain your personal data only as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Below are specific retention periods by data type.
16.1 Retention periods
- Account data - retained for the duration of your active subscription. After account deletion or subscription cancellation, account data is retained for 90 days in case of reactivation, then permanently deleted.
- Compliance evidence files - retained until you delete them or close your account. Upon account closure, evidence files are permanently deleted from primary storage within 30 days and from backups within 90 days.
- AI-generated content - policy drafts, confidence scores, and AI recommendations are retained for the duration of your subscription as part of your workspace data. Deleted with your account upon closure.
- Audit logs - in-platform audit trail entries (who did what, when) are retained for the duration of your subscription. These logs are essential for compliance and cannot be selectively deleted while your account is active.
- Integration data - data pulled from connected integrations is retained until you disconnect the integration and delete the associated evidence, or until account closure.
- Payment records - billing history, invoices, and transaction records are retained for 7 years after the transaction date, as required by United States federal tax regulations and applicable financial record-keeping laws.
- Server and application logs - retained for up to 90 days for security monitoring, debugging, and performance analysis, then automatically purged.
- Email delivery logs - retained for up to 90 days for troubleshooting email delivery issues, then automatically purged.
- Support correspondence - retained for 2 years after the last interaction for quality assurance and dispute resolution purposes.
- Cookie and session data - session cookies are deleted when you close your browser. Persistent cookies expire according to the timeframes listed in Section 7.2.
16.2 Deletion process
When data reaches the end of its retention period, or when you request deletion, we use secure deletion methods. Files are permanently removed from S3 storage. Database records are hard-deleted (not soft-deleted). Backup copies are purged as backup snapshots age out of their retention window, which is a maximum of 90 days.
You may request deletion of your personal data at any time by contacting us at [email protected]. We will process deletion requests within 30 days and confirm completion.
17. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. We are committed to honoring these rights promptly and transparently.
- Right of access - request a copy of the personal data we hold about you. We will provide this in a commonly used electronic format within 30 days.
- Right to rectification - request correction of inaccurate or incomplete data. You can update most account information directly in your workspace settings.
- Right to erasure - request deletion of your personal data, subject to legal retention requirements. We will delete or anonymize your data and confirm the action.
- Right to restrict processing - request that we limit how we use your data while we verify its accuracy or assess your objection.
- Right to data portability - request a copy of your data in a structured, commonly used, machine-readable format (JSON or CSV). This includes your uploaded evidence, compliance mappings, and account information.
- Right to object - object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent - withdraw consent at any time where processing is based on consent. This does not affect the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to automated decisions - request human review of any decision made solely by automated means that significantly affects you. As noted in Section 8, our AI features are advisory and do not produce such decisions.
To exercise any of these rights, contact us at [email protected]. We will verify your identity before processing your request and respond within 30 days. If we need an extension due to the complexity or volume of requests, we will notify you within the initial 30-day period with an explanation and a revised timeline not exceeding an additional 60 days.
You will not be charged a fee for exercising your rights unless your request is manifestly unfounded or excessive (for example, repetitive requests). In such cases, we may charge a reasonable fee or decline the request, and we will explain our reasoning.
18. Your Audit Rights
Enterprise customers with an active Data Processing Agreement (DPA) may audit our compliance with this Policy and the terms of the DPA. Audit requests must be submitted in writing to [email protected] with at least 30 days advance notice.
Audits will be conducted during normal business hours and will be limited in scope to the processing activities covered by the DPA. We may require the auditor to sign a confidentiality agreement before accessing our facilities or documentation. To minimize disruption, we encourage customers to rely on our compliance certifications and third-party audit reports where available, and to coordinate audit activities to avoid redundancy.
We will cooperate in good faith with reasonable audit requests, provide access to relevant documentation and personnel, and address any findings within an agreed-upon remediation timeline.
19. CCPA / CPRA Rights (California Residents)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These rights apply to personal information as defined under California law.
- Right to know - you may request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom it was shared.
- Right to delete - you may request deletion of your personal information, subject to certain exceptions (such as completing a transaction, detecting security incidents, or complying with legal obligations).
- Right to correct - you may request correction of inaccurate personal information we maintain about you.
- Right to opt out of sale or sharing - we do not sell your personal information and do not share it for cross-context behavioral advertising. Therefore, there is no need to opt out, but we honor such requests as a matter of policy.
- Right to limit use of sensitive personal information - we only use sensitive personal information (if any) for purposes permitted under the CPRA, such as providing the Services you requested.
- Right to non-discrimination - we will not discriminate against you for exercising your CCPA/CPRA rights. You will not receive different pricing, a different quality of service, or be denied service for making a rights request.
To submit a verifiable consumer request, contact us at [email protected]. We will verify your identity using information already associated with your account and respond within 45 days. If we need additional time, we will notify you of the extension (up to an additional 45 days) and explain the reason.
You may designate an authorized agent to submit a request on your behalf. The agent must provide written authorization signed by you, and we may still require you to verify your identity directly with us.
20. California Shine the Light
Under California Civil Code Section 1798.83 (the "Shine the Light" law), California residents who provide personal information to a business in connection with obtaining products or services may request information regarding disclosure of personal information to third parties for their direct marketing purposes.
We do not share personal information with third parties for their own direct marketing purposes. If our practices change in the future, we will update this Policy and provide you with an opportunity to opt out. Contact us at [email protected] with questions about this provision.
21. Nevada Privacy Rights
Nevada residents may opt out of the sale of certain "covered information" as defined by Nevada Revised Statutes Chapter 603A (SB 220). Covered information includes a consumer's name, email address, phone number, and other identifying information.
We do not currently sell covered information as defined by Nevada law. However, if you are a Nevada resident and wish to submit an opt-out request for future protection, you may do so by emailing [email protected] with the subject line "Nevada Opt-Out." We will respond to verified requests within 60 days.
22. Children's Privacy
Our Services are designed for business use and are not directed to individuals under the age of 16. We do not knowingly collect, solicit, or maintain personal data from children under 16 years of age. Our account registration process requires users to confirm they are at least 16 years old.
If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will take prompt steps to delete that data from our systems. If you believe that a child under 16 has provided us with personal data, contact us immediately at [email protected] so we can investigate and take appropriate action.
23. Do Not Track Signals
Some browsers include a "Do Not Track" (DNT) signal that requests websites not to track browsing activity. There is currently no universally accepted standard for how companies should respond to DNT signals; the World Wide Web Consortium (W3C) working group that drafted the Tracking Preference Expression specification closed in 2019 without it being adopted as a W3C standard.
At this time, we do not alter our data collection or processing practices in response to DNT signals. However, as noted in Section 7, we do not use third-party advertising trackers or cross-site tracking technologies, so our tracking practices are inherently limited to what is necessary for platform operation. If a universal DNT standard is established, we will update this Policy to reflect our compliance approach.
24. Data Processing Agreements
We offer Data Processing Agreements (DPAs) to customers who require them, particularly those subject to GDPR, HIPAA, or other regulations that mandate formal data processing agreements between controllers and processors.
Our standard DPA covers the requirements of GDPR Article 28, including: the subject matter and duration of processing, the nature and purpose of processing, the types of personal data processed, the categories of data subjects, the obligations and rights of the controller, sub-processor management, data breach notification, data deletion and return, audit rights, and international transfer mechanisms.
To request a DPA, contact us at [email protected] with the subject line "DPA Request." We will provide our standard DPA for review and execution. Enterprise customers may negotiate custom DPA terms as part of their subscription agreement.
25. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals, as required by GDPR Article 35. This includes assessments for our AI-powered evidence processing, automated confidence scoring, and large-scale processing of compliance data.
Our DPIA process evaluates the necessity and proportionality of the processing, identifies and assesses risks to data subjects, and documents the measures we implement to mitigate those risks. DPIAs are reviewed and updated when there are material changes to our processing activities or when new features are introduced that involve high-risk processing.
If you have questions about our DPIA processes or would like to understand the assessments we have conducted for processing activities that affect your data, contact our Data Protection Officer at [email protected].
26. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. When we make changes, we will update the "Last updated" date at the top of this page.
For material changes that significantly affect your rights or the way we process your data, we will provide prominent notice at least 30 days before the changes take effect. Notice may be provided via email to the address associated with your account, via an in-platform banner or notification, or via a prominent notice on our website.
Your continued use of the Services after the effective date of a revised Policy constitutes acceptance of the updated terms. If you do not agree with the changes, you should discontinue use of the Services and contact us to delete your account and data.
27. Contact and Data Protection Officer
If you have questions about this Policy, wish to exercise your data protection rights, or have concerns about how we handle your data, contact us using the information below:
- Email: [email protected]
- Company: Evidr LLC
- Product: Evidr
- Location: New York, New York, United States
- Website: https://evidr.com
- Console: https://console.evidr.com
For GDPR-related inquiries, data subject access requests, or any matter relating to this Privacy Policy, contact our Data Protection Officer at the email address above with the subject line "DPO Inquiry." Our DPO is responsible for overseeing our data protection strategy, monitoring compliance with GDPR and other applicable data protection laws, and serving as the point of contact for data protection authorities.
We take all privacy inquiries seriously and will acknowledge receipt of your request within 5 business days. Substantive responses will be provided within 30 calendar days unless the complexity of the request requires additional time, in which case we will keep you informed of our progress.
28. Supervisory Authorities
If you are located in the European Economic Area and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is published by the European Data Protection Board (EDPB).
If you are in the United Kingdom, you may contact the Information Commissioner's Office (ICO). If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC).
We encourage you to contact us first so we have the opportunity to address your concerns directly. In many cases, we can resolve data protection issues more quickly through direct communication than through the formal complaint process.
